Tuesday, 02 January 2024 12:17 GMT

Iran Cyber Unit Widens Aviation Attacks Arabian Post


(MENAFN - The Arabian Post) Iran-linked hackers have expanded cyber-espionage operations against aviation and software organisations in the United States, Europe and the Middle East, using fake recruitment pitches and search-engine manipulation to deliver malware capable of long-term surveillance and data theft.

The campaign has been tied to Nimbus Manticore, also tracked as UNC1549, Screening Serpens, Smoke Sandstorm and Iranian Dream Job. The group is assessed to be aligned with Iran's Islamic Revolutionary Guard Corps and has built a reputation for targeting defence, aviation, telecommunications, energy and technology networks through carefully tailored social-engineering operations.

The latest activity marks a shift in both scale and method. Earlier operations relied heavily on career-themed phishing, often aimed at software engineers and technology staff with access to sensitive corporate systems. The new campaign adds search engine poisoning, a technique that places malicious websites high in search results so that victims looking for legitimate software are redirected to attacker-controlled download pages.

Aviation emerged as a central focus because of its operational value during the wider Middle East conflict that escalated after the US-Israeli military campaign against Iran began on February 28, 2026. Access to aviation systems, software development environments or corporate credentials could help an intelligence service map logistics, travel patterns, contractor relationships and technology dependencies. Researchers have not publicly confirmed disruption to flight operations, but the targeting underscores the strategic interest in companies supporting transport, aerospace and related digital services.

The group's February activity involved fake career opportunities aimed at selected employees in software and aviation organisations. Targets were induced to download compressed files containing what appeared to be legitimate job or application material. Inside the archive, a benign Microsoft-signed executable was paired with malicious configuration files and a rogue DLL. The infection chain abused AppDomain hijacking, a .NET technique that causes a trusted application to load attacker-controlled code at launch.
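The bundle described above (a signed executable, a configuration file and a DLL sitting beside it) leaves a distinctive trace that a triage script can look for: the .NET runtime only redirects the AppDomainManager when the application's `.exe.config` carries `appDomainManagerAssembly` and `appDomainManagerType` entries under `<runtime>`, so any such entry in an archive received from a "recruiter" deserves scrutiny. The following is an added example written for this page, not code from the article or from the researchers it cites; the file names (`Application.exe`, `Helper.dll`) and the sample archive it builds are constructed for the demonstration, while the two configuration element names are the real .NET settings.

```python
"""Triage an extracted archive for AppDomainManager hijacking set-ups.

Flags every *.exe.config whose <runtime> section points the .NET loader at an
AppDomainManager in a foreign assembly, and reports whether the named
assembly and the host executable are present alongside it.
"""
import os
import tempfile
from pathlib import Path
from typing import Optional
import xml.etree.ElementTree as ET

# Elements under <runtime> that make the CLR instantiate an AppDomainManager
# from an arbitrary assembly before the host executable's own Main() runs.
HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")


def inspect_config(config_path: Path) -> Optional[dict]:
    """Parse one *.exe.config; return a finding if it redirects the AppDomainManager."""
    try:
        root = ET.parse(config_path).getroot()
    except ET.ParseError:
        return None  # not XML at all; nothing for this check to say
    runtime = root.find("runtime")
    if runtime is None:
        return None
    found = {}
    for child in runtime:
        tag = child.tag.split("}")[-1]  # tolerate namespaced configuration files
        if tag in HIJACK_ELEMENTS:
            found[tag] = child.get("value", "")
    if not found:
        return None
    # The assembly name is the first token of the fully qualified assembly string,
    # e.g. "Helper, Version=1.0.0.0, Culture=neutral" -> "Helper".
    asm_name = found.get("appDomainManagerAssembly", "").split(",")[0].strip()
    exe = config_path.with_suffix("")            # Application.exe.config -> Application.exe
    dll = config_path.parent / f"{asm_name}.dll"  # assembly the loader will resolve first
    return {
        "config": str(config_path),
        "executable": str(exe),
        "executable_present": exe.exists(),
        "manager_assembly": asm_name,
        "manager_type": found.get("appDomainManagerType", ""),
        "dll_beside_exe": dll.exists(),
    }


def scan_extracted_archive(folder: str) -> list:
    """Walk an extracted archive and collect every AppDomainManager redirection."""
    return [hit for p in Path(folder).rglob("*.exe.config") if (hit := inspect_config(p))]


def build_sample_archive() -> str:
    """Constructed sample: one hijack-style bundle plus one benign control."""
    d = Path(tempfile.mkdtemp(prefix="appdomain_demo_"))
    (d / "Application.exe").write_bytes(b"MZ placeholder, not a real binary")
    (d / "Application.exe.config").write_text(
        '<?xml version="1.0"?>\n'
        "<configuration>\n"
        "  <runtime>\n"
        '    <appDomainManagerAssembly value="Helper, Version=1.0.0.0, Culture=neutral" />\n'
        '    <appDomainManagerType value="Helper.Manager" />\n'
        "  </runtime>\n"
        "</configuration>\n"
    )
    (d / "Helper.dll").write_bytes(b"MZ placeholder, not a real binary")
    # Control case: a normal config that only pins the supported runtime.
    (d / "Benign.exe").write_bytes(b"MZ placeholder")
    (d / "Benign.exe.config").write_text(
        '<configuration><startup><supportedRuntime version="v4.0" /></startup></configuration>'
    )
    return str(d)


if __name__ == "__main__":
    folder = build_sample_archive()
    for hit in scan_extracted_archive(folder):
        print(f"[!] {hit['config']}: AppDomainManager -> {hit['manager_assembly']}.dll "
              f"(type {hit['manager_type']}), dll present={hit['dll_beside_exe']}, "
              f"exe present={hit['executable_present']}")
```

A hit where the executable is signed by a trusted vendor but the referenced DLL is unsigned and shipped in the same archive matches the pairing the article describes; the `APPDOMAIN_MANAGER_ASM` and `APPDOMAIN_MANAGER_TYPE` environment variables can achieve the same redirection without a config file, so endpoint telemetry on those variables complements this file-level check.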


The March wave broadened the approach. Attackers impersonated a US-based airline and packaged fake job documents with a malicious “Hiring Portal” archive. Job descriptions carried specific role titles and identification numbers to increase credibility for technical staff. When victims opened the package, the malware displayed a fake error message to make the failed application portal appear ordinary while the infection process continued in the background.

Another branch of the operation used spoofed video-conferencing invitations and a trojanised installer designed to resemble a legitimate meeting-client update. The attackers appeared to exploit the trust built through normal meeting links before sending a lookalike domain that pushed a malicious archive. That technique enabled them to blend malware deployment into a business workflow familiar to executives, engineers and recruiters.

The campaign introduced MiniFast, also referred to in some analysis as MiniUpdate, a previously undocumented backdoor designed for persistent access, remote command execution and data exfiltration. The malware can collect system information, communicate with command servers over HTTP, list directories, execute commands, manage files, enumerate and terminate processes, load DLLs, create ZIP archives and maintain persistence through scheduled tasks.

Several traits suggest that the malware may have been developed with AI assistance. The code showed unusually verbose error handling, repetitive naming patterns, modular organisation and detailed debug-style messages despite its relatively simple purpose. That does not mean the software was fully generated by AI, but it points to the growing role of automated coding tools in speeding up malware development and adaptation during active geopolitical crises.

April brought a further change when Nimbus Manticore used SEO poisoning to distribute malware through a fake SQL Developer download page. Dozens of domains linked to the bogus site, apparently to improve its visibility in search rankings. A developer searching for common database software could therefore be lured into downloading a weaponised installer without receiving a phishing email or fake job offer.


That pivot is significant because it widens the victim pool. Spear-phishing requires the attacker to identify, approach and persuade a specific target. Search poisoning allows the attacker to wait for suitable users to arrive on their own, including developers, administrators and database engineers who may hold valuable credentials or access to production systems.

The activity fits a broader pattern in Iran-linked cyber operations: heavy use of social engineering, impersonation of trusted brands, abuse of legitimate infrastructure and a focus on sectors with intelligence value. The same ecosystem has been associated with tailored recruitment lures, fake employer portals, cloned business platforms and remote-access malware intended to support espionage rather than immediate public disruption.
